I never had problems with permission again after I know the real power of sudo

@ColdWater@lemmy.ca · 5 days ago

I never had problems with permission again after I know the real power of sudo

Arthur Besse · 5 days ago

Why memorize a different command? I assume sudoedit just looks up the system’s EDITOR environment variable and uses that. Is there any other benefit?

I don’t use it, but, sudoedit is a little more complicated than that.

details

from man sudo:

When invoked as sudoedit, the -e option (described below), is implied.

       -e, --edit
               Edit one or more files instead of running a command.   In  lieu
               of  a  path name, the string "sudoedit" is used when consulting
               the security policy.  If the user is authorized by the  policy,
               the following steps are taken:

               1.   Temporary  copies  are made of the files to be edited with
                    the owner set to the invoking user.

               2.   The editor specified by the policy is run to edit the tem‐
                    porary files.  The sudoers policy  uses  the  SUDO_EDITOR,
                    VISUAL  and  EDITOR environment variables (in that order).
                    If none of SUDO_EDITOR, VISUAL  or  EDITOR  are  set,  the
                    first  program  listed  in the editor sudoers(5) option is
                    used.

               3.   If they have been modified, the temporary files are copied
                    back to their original location and the temporary versions
                    are removed.

               To help prevent the editing of unauthorized files, the  follow‐
               ing  restrictions are enforced unless explicitly allowed by the
               security policy:

                •  Symbolic links  may  not  be  edited  (version  1.8.15  and
                   higher).

                •  Symbolic links along the path to be edited are not followed
                   when  the parent directory is writable by the invoking user
                   unless that user is root (version 1.8.16 and higher).

                •  Files located in a directory that is writable by the invok‐
                   ing user may not be edited unless that user is  root  (ver‐
                   sion 1.8.16 and higher).

               Users are never allowed to edit device special files.

               If  the specified file does not exist, it will be created.  Un‐
               like most commands run by sudo, the editor is run with the  in‐
               voking  user's  environment  unmodified.  If the temporary file
               becomes empty after editing, the user will be  prompted  before
               it is installed.  If, for some reason, sudo is unable to update
               a file with its edited version, the user will receive a warning
               and the edited copy will remain in a temporary file.

tldr: it makes a copy of the file-to-be-edited in a temp directory, owned by you, and then runs your $EDITOR as your normal user (so, with your normal editor config)

note that sudo also includes a similar command which is specifically for editing /etc/sudoers, called visudo 🤪

@Flyswat@lemmy.dbzer0.com · 5 days ago

visudo is a life-saver since it adds some checks to prevent you from breaking your sudo configuration and locking you out of your system.